Event Rule Threshold - False positives from 'Simulate event processing'

Kelly Logan · ‎05-12-2025

I have created two rules for CPU utilization, one that creates a Warning severity alert for > 80 %, and one that creates a Critical severity alert for > 95%.

I put the 95% at order 150 so it would check for that first, then the 80% at order 200.

When I try to use 'Simulate event processing' on a past CPU event, it matches against the 95%, even when the amount is less than 95. Any ideas why?

I even tried matching the value using (\d+) instead of (.*) to see if it would cast it to a numeric value. No change.

Any thoughts on how I can get this to work? We are on Yokohama.

Kelly Logan · ‎05-13-2025

Two things:

I had not set the first rule to 'Apply additional matching rules'. Once I did, the 80-95% rule matched as well.
The 'Simulate event processing' will still say matching on the first rule because apparently threshold is only evaluated *after* the matching and transformation steps, so now the simulated alert lists both a match for 95% and then a second match for the 80-95% rule.

View solution in original post

Kelly Logan · ‎05-13-2025

Two things:

I had not set the first rule to 'Apply additional matching rules'. Once I did, the 80-95% rule matched as well.
The 'Simulate event processing' will still say matching on the first rule because apparently threshold is only evaluated *after* the matching and transformation steps, so now the simulated alert lists both a match for 95% and then a second match for the 80-95% rule.